oss-sec mailing list archives
Re: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified
From: Marcus Meissner <meissner () suse de>
Date: Fri, 21 Nov 2014 10:49:43 +0100
On Thu, Nov 20, 2014 at 07:17:22PM +0000, mancha wrote:
On Thu, Nov 20, 2014 at 11:38:20AM -0500, Francisco Alonso wrote:Hello, It was discovered that the wordexp() function could ignore the WRDE_NOCMD flag under certain input conditions resulting in the execution of a shell for command substitution when the applicaiton did not request it. Bug report: https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2014-7817 Git commit: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c References: https://bugzilla.redhat.com/show_bug.cgi?id=1157689 https://sourceware.org/ml/libc-alpha/2014-11/msg00519.htmlFrancisco, thanks for the post. After a lightning review of one of my systems, I found the following use glibc's wordexp: adobe's flash plugin, ardour2, mailx, enca. I've not looked into which input is under a would-be-attacker's control.
I quickly had a look at flash-player diassembler and it calls wordexp with flags=0 in 3 places. So it even calls the unsafe variant. Ciao, Marcus
Current thread:
- CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified Francisco Alonso (Nov 20)
- Re: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified mancha (Nov 20)
- RE: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified Mehaffey, John (Nov 20)
- Re: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified Vasyl Kaigorodov (Nov 21)
- Re: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified Marcus Meissner (Nov 21)
- RE: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified Mehaffey, John (Nov 20)
- Re: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified mancha (Nov 20)